Zone Administration

Zone administration goes hand in hand with host administration. A zone administrator is responsible for one or more DNS zones, and usually delegates the individual hosts for that zone to the host administrator (described in "Host Administration"). The zone administrator must know the details of the zone, including its start of authority and nameserver records, and all its other DNS resource records.

Zone Administrator Role

The zone administrator role is a user who is more familiar with DNS than a host administrator. A zone administrator should be comfortable editing zone resource records, creating and configuring zones and subzones, and configuring primary and secondary (master and slave) DNS servers for these zones. Generally, the zone administrator needs to perform all DNS zone creation and management functions possible with Network Registrar.

Zone administrators also appreciate help in minimizing the configuration information that they need to provide. These zone administrator aids are available in Network Registrar:

•Defining a single zone distribution map of primary and secondary (master and slave) DNS servers for multiple zones—This automates the process of updating the individual DNS servers when adding a zone. Any zone added would create a primary zone, add its resource records to the primary DNS server, and create secondary zones on the secondary DNS servers.

•Managing templates for zone configuration—It is likely that the Start of Authority (SOA) data (nameserver, responsible person, and TTL values) and Name Server (NS) record list will be consistent across all zones managed by a single organization. By providing the ability to define zone templates with common configuration data, the zone administrator needs only to adjust any exceptions for the zone itself.

•Providing validation of the resource record values in a zone.

•Automatically updating the appropriate reverse (in-addr.arpa) zones with Pointer (PTR) records for all of the Address (A) records in the forward zone.

Role Functions

The zone administrator functions are divided into primary forward and reverse zone, secondary zone, zone distribution, and server maintenance tasks, as explained in the following sections.

Primary Zone Functions

The administrator for a primary zone can perform these functions:

•View the list of zones

•Create a primary forward and reverse zone

•Add a subzone to an existing primary zone

•Configure a primary zone

•Edit resource records in a zone

•Delete a primary zone

•Associate a zone with a zone distribution map

•Associate a zone with a zone template

•Associate a zone with an owner, explicitly at or after creation

•Stop, start, and reload the DNS server

Secondary Zone Functions

The operations on secondary zone objects are mainly needed when Network Registrar does not manage the primary DNS server for a zone, such as with a BIND server or when the primary is in a different administrative domain. The zone administrator can:

•Create a new secondary zone

•Configure a secondary zone

•Delete a secondary zone

•View resource records in a secondary zone

Zone Distribution Functions

The zone administrator can perform these zone distribution tasks:

•Assign a zone to a zone distribution map or directly to secondary servers

•Edit a zone distribution by adding or deleting secondary servers

Role Limitations

The zone administrator role can be constrained to allow administration of a certain list of zones, either specifically listed or more generally described as those with a given owner.

Managing Zones

Adding Zones

Adding a zone involves creating a domain name. You can also define an owner and use a zone template. If you do not use a template, you must also define the Start of Authority (SOA) and Name Server (NS) properties for the zone.

Adding Basic Zone Properties

The first step in creating a zone is to define its domain name, owner, and whether to apply a zone template. Do this on the List/Add Zones page (see Figure 2-6), or, in the case of reverse zones, on the List/Add Reverse Zones page (see Figure 4-2).

Data to Enter

You must enter or select the fields described in Table 4-2 to create a zone. The Name property, marked with an asterisk (*), is required.

Table 4-2 Entries on the Add Zone Page

Entry

Description

Name*

Name of the zone. Enter the zone name as a fully qualified domain name, such as example.com. (including the trailing dot). The name must be unique. Required.

Owner

Predefined tag name of the administrative owner of the zone. Select from the drop-down list. Add these owner tags on the Owners page, described in the "Managing Zone Owners" section. Optional.

Changing Attributes and Adding SOA and Name Server Records for the Zone

If you decided not to use a template for the zone, or you want to override the template, you may want to change the zone name, reselect an owner, or add the zone to a distribution. Creating a zone also involves defining the Start of Authority (SOA) record and the primary nameserver for the zone.

Default TTL

Default or fallback time-to-live of the zone data, used when no other TTL is defined. Defaults to 86400s (2d).

SOA Attributes

Serial Number*

Suggested serial number of the zone's SOA record, which is incremented with each record change. In most cases, this value is 1.

DNS Server Value

Actual serial number the DNS server maintains. You cannot modify this value. To refresh this number, click the Refresh icon next to the field.

SOA TTL

TTL of the SOA record itself. If not specified, defaults to the Default TTL of the zone.

Nameserver*

DNS nameserver for the zone. You can enter it fully qualified or you can enter just the hostname, which makes it relative to the zone.

Contact E-Mail*

E-mail address of the hostmaster for the zone. Enter it in the hostmaster.example.com. format, or just the hostmaster name, which makes it relative to the zone.

Secondary Refresh

Interval at which a secondary server should attempt a zone transfer. Defaults to 3h.

Secondary Retry

Interval at which a secondary server retries a zone transfer after an error. Defaults to 60m.

Secondary Expire

Interval after which a secondary server expires its copy of the zone if it has been unable to complete a zone transfer. Defaults to 7d.

Negative TTL

Time-to-live to use for negative responses.
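As an added example (not from the Network Registrar documentation), the following Python renders the SOA attributes above as a BIND-format record, applying the page's rule that a nameserver or contact name without a trailing dot is relative to the zone, and sanity-checks the timer relationships. The parse_duration, qualify and check_soa_timers names and the warning thresholds are this example's own, and the 1h negative TTL in the sample is an assumption because the page gives no default for it.

```python
import re

# Duration strings in the form the attribute table uses: "86400s", "3h", "60m", "7d", "1w".
_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}


def parse_duration(text):
    """Convert '3h', '60m', '7d' or a bare number of seconds to an int of seconds."""
    m = re.fullmatch(r"\s*(\d+)\s*([smhdw]?)\s*", str(text).lower())
    if not m:
        raise ValueError(f"bad duration: {text!r}")
    return int(m.group(1)) * _UNITS[m.group(2) or "s"]


def qualify(name, zone):
    """Rule for the Nameserver and Contact E-Mail fields: a name without a
    trailing dot is relative to the zone, so the zone name is appended."""
    if name.endswith("."):
        return name
    return f"{name}.{zone}"


def soa_record(zone, nameserver, contact, serial, timers):
    """Render the SOA as one BIND-format record line.

    timers: dict of duration strings keyed refresh, retry, expire, negative_ttl
    and default_ttl. The zone's Default TTL is used as the SOA record TTL,
    which is what the page says happens when SOA TTL is not specified.
    """
    fields = (
        zone,
        parse_duration(timers["default_ttl"]),
        "IN", "SOA",
        qualify(nameserver, zone),
        qualify(contact, zone),
        serial,
        parse_duration(timers["refresh"]),
        parse_duration(timers["retry"]),
        parse_duration(timers["expire"]),
        parse_duration(timers["negative_ttl"]),
    )
    return " ".join(str(f) for f in fields)


def check_soa_timers(timers):
    """Return warnings when the timer relationships are operationally unsound.

    The rules are the usual sanity checks for secondary-server behaviour,
    chosen for this example (they are not rules stated by the page): retry
    must be shorter than refresh, expire must outlast a failed refresh cycle,
    and negative answers should not be cached for many hours.
    """
    refresh = parse_duration(timers["refresh"])
    retry = parse_duration(timers["retry"])
    expire = parse_duration(timers["expire"])
    neg = parse_duration(timers["negative_ttl"])
    warnings = []
    if retry >= refresh:
        warnings.append("retry should be shorter than refresh")
    if expire <= refresh + retry:
        warnings.append("expire should exceed refresh + retry, or one failed "
                        "refresh cycle can expire the zone on secondaries")
    if neg > 3 * 3600:  # RFC 2308 suggests one to three hours
        warnings.append("negative TTL above 3h keeps a mistyped name "
                        "unresolvable for hours")
    return warnings


# Constructed sample: the defaults the attribute table gives for a new zone.
PAGE_DEFAULTS = {
    "default_ttl": "86400s",
    "refresh": "3h",
    "retry": "60m",
    "expire": "7d",
    "negative_ttl": "1h",  # assumption: the page states no default for Negative TTL
}

if __name__ == "__main__":
    print(soa_record("example.com.", "ns1", "hostmaster", 1, PAGE_DEFAULTS))
    print(check_soa_timers(PAGE_DEFAULTS) or "SOA timers look sane")
    print(check_soa_timers({**PAGE_DEFAULTS, "retry": "4h", "expire": "2h"}))
```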

Nameservers

NS TTL

Default time-to-live of the NS records. Defaults to 12h.

nameservers*

Add nameservers by entering each host or alias name and clicking Add Nameserver. To delete any resulting nameserver, click the Delete icon next to its name. Required.

Attributes

(Help for each attribute is also available by clicking its name.)

Zone Transfer

restricted-set

With the restrict-xfr attribute enabled, the set of IP addresses that can request zone transfers. There is no default.

notify

Enables notifying other authoritative servers when this zone changes. The default is what is set for the server, which defaults to enabled.

notify-set

List of additional servers to notify when the zone changes. There is no default.

Dynamic DNS

dynamic

For a primary zone only, enables or disables RFC 2136 dynamic updates to the zone. The default is enabled.

update-acl

Adds or updates one or more access control list (ACL) elements to the zone. The server uses ACLs to control who can perform dynamic DNS updates. Set at the zone level, it overrides the server value. The default is unset, which implies that no one can update the zone.
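The restrict-xfr, restricted-set, dynamic and update-acl semantics above can be checked mechanically. The Python below is an added example, not Network Registrar code: it evaluates whether a requester may transfer or update a zone under the rules stated on this page, and audits a weak zone configuration beside a hardened one. The dictionary keys mirror the attribute names; treating restricted-set and update-acl entries as IP addresses or CIDR prefixes, and the /24 breadth threshold, are assumptions of this example.

```python
import ipaddress


def _networks(entries):
    """Parse restricted-set or update-acl entries, assumed here to be IP addresses
    or CIDR prefixes (the page does not define their syntax); a bare address
    becomes a /32 or /128."""
    return [ipaddress.ip_network(e.strip(), strict=False) for e in entries]


def _matches(ip, entries):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in _networks(entries))


def transfer_allowed(zone, requester_ip):
    """Page rule: restrict-xfr (default false) gates zone transfers; when it is
    enabled, only addresses in restricted-set may request a transfer."""
    if not zone.get("restrict-xfr", False):
        return True
    return _matches(requester_ip, zone.get("restricted-set", []))


def update_allowed(zone, requester_ip):
    """Page rule: dynamic (default enabled, primary zones only) must be on and
    update-acl must be set; an unset update-acl means no one can update."""
    if not zone.get("dynamic", True):
        return False
    acl = zone.get("update-acl")
    if not acl:
        return False
    return _matches(requester_ip, acl)


def audit_zone(zone):
    """Return (severity, message) findings for the zone's transfer and update settings."""
    findings = []
    if not zone.get("restrict-xfr", False):
        findings.append(("HIGH", "restrict-xfr is off: any host can pull the whole zone by AXFR"))
        if zone.get("restricted-set"):
            findings.append(("INFO", "restricted-set is ignored until restrict-xfr is enabled"))
    elif not zone.get("restricted-set"):
        findings.append(("MEDIUM", "restrict-xfr is on but restricted-set is empty; "
                                   "list the secondaries or their transfers fail"))
    acl = zone.get("update-acl") or []
    if zone.get("dynamic", True):
        if not acl:
            findings.append(("INFO", "dynamic is enabled but update-acl is unset: "
                                     "no client can update the zone (page default)"))
        for net in _networks(acl):
            # Breadth threshold chosen for this example: a whole /24 or larger
            # network is a lot of hosts allowed to rewrite records.
            if net.prefixlen < (24 if net.version == 4 else 64):
                findings.append(("HIGH", f"update-acl entry {net} lets a whole network rewrite records"))
    return findings


# Constructed sample zones; addresses are illustrative.
WEAK_ZONE = {
    "name": "example.com.",
    "restrict-xfr": False,          # the page's default
    "dynamic": True,                # the page's default
    "update-acl": ["10.0.0.0/8"],   # any host in the corporate range may update
}

HARDENED_ZONE = {
    "name": "example.com.",
    "restrict-xfr": True,
    "restricted-set": ["192.168.50.2", "192.168.50.3"],  # the secondary servers
    "dynamic": True,
    "update-acl": ["192.168.50.10/32"],                  # the one host allowed to update
}

if __name__ == "__main__":
    for label, zone in (("weak", WEAK_ZONE), ("hardened", HARDENED_ZONE)):
        print(label, audit_zone(zone) or "no findings")
```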

Subzone Forwarding

subzone-forward

For zones with forwarders set, the normal Network Registrar behavior is to ignore delegation to subzone nameservers and forward queries to these forwarding servers instead. You would normally need to set a resolution exception to the subzone server. This might be impractical for large numbers of subzones. With this attribute set to no-forward, when the server receives a query for any of its subzones, it tries to find relevant subzone NS records, resolve their corresponding IP addresses, and delegate the query to those IP addresses. The default is normal.

Checkpoint

checkpoint-interval

Interval (in seconds) at which to checkpoint the zone (take the latest snapshot of the runtime database). The default is the server setting, which defaults to 3h.

checkpoint-min-interval

Minimum interval (in seconds) between consecutive checkpoints. The default is the server setting.

Scavenging

scvg-enabled

For a primary zone only, enables or disables dynamic resource record scavenging (stale record cleanup) of the zone. The default is false.

scvg-interval

For a primary zone only, with the scvg-enabled attribute enabled, the interval, in seconds, at which the zone is scheduled for scavenging. The default is the server setting, which defaults to 1w.

scvg-refresh-interval

For a primary zone only, with the scvg-enabled attribute enabled, the interval, in seconds, during which the zone can have a timestamp updated to prepare for scavenging. The default is the server setting, which defaults to 1w.

scvg-no-refresh-interval

For a primary zone only, with the scvg-enabled attribute enabled, the interval, in seconds, during which actions such as dynamic or prerequisite-only updates do not advance the timestamp for scavenging. The default is the server setting, which defaults to 1w.

scvg-ignore-restart-interval

For a primary zone only, the interval, in seconds, for which a server restart does not recalculate a start scavenging time. The default is the server setting, which defaults to 2h.

scvg-max-records

Maximum number of records the DNS server will scavenge from one zone during a scavenging interval when scavenging is enabled. There is no default.

scvg-max-records-searched

Maximum number of records to search at one time for a candidate to be scavenged. There is no default.

scvg-pause-interval

Time (in seconds) that scavenging waits after scavenging a set of records, before going on to the next set. There is no default.

Actions to Take

After entering these values, click Add Zone to add the entry, or Cancel to cancel the entry. The created zone appears on the List/Add Zones page. Note that you cannot apply a zone template on this page; you must edit the zone to apply the template.

Editing a Zone

You can edit the zone to add SOA or NS records, or add zone attributes.

Editing SOA and NS Records for a Zone

If a zone does not include SOA or NS records, you can edit the zone to add or modify them.

Creating a Zone Template from a Zone

You can save zone information as a template so that you can re-use it for other zones. You do this from the Edit Zone page. On this page, click Modify Zone and Save Template after you modify the zone information.

On the Save New Zone Template page (see Figure 4-1), give the template a name in the Value field, and click Save Zone Template, or Cancel to cancel saving it. You return to the List/Add Zones page.

Figure 4-1 Save New Zone Template Page

Managing Reverse Zones

For every subnet, you should have a corresponding reverse zone so that the DNS server can resolve a domain name based on its IP address. Adding reverse zones is similar to adding forward zones, except that the reverse zone name is the reverse of the subnet's network address prepended to the in-addr.arpa. zone. For example, the 192.168.50.0 subnet has a reverse zone of 50.168.192.in-addr.arpa.

Network Registrar automatically creates the 127.in-addr.arpa. zone for your local host. You should create reverse zones for all of your subnets.
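An added example (not from the original documentation) of the reverse-zone naming rule above and the automatic PTR population listed among the zone administrator aids: the Python below derives the in-addr.arpa. zone for an octet-aligned IPv4 network, forms each A record's PTR owner name, and groups the PTR records by the reverse zone that should hold them, reporting addresses for which no reverse zone exists. It generalizes the page's /24 example to /8 and /16 zones; the function names and the sample records are constructed.

```python
import ipaddress


def reverse_zone_name(network):
    """in-addr.arpa. zone for an IPv4 network on an octet boundary, following the
    page's rule: 192.168.50.0/24 -> 50.168.192.in-addr.arpa., 127.0.0.0/8 -> 127.in-addr.arpa."""
    net = ipaddress.ip_network(network, strict=True)
    if net.version != 4 or net.prefixlen % 8 != 0 or net.prefixlen == 0:
        raise ValueError("reverse zone needs an IPv4 network with a /8, /16 or /24 prefix")
    kept = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(kept)) + ".in-addr.arpa."


def ptr_name(address):
    """Owner name of the PTR record for one address (192.168.50.7 -> 7.50.168.192.in-addr.arpa.)."""
    return ipaddress.ip_address(address).reverse_pointer + "."


def ptr_records_for(a_records, reverse_zones):
    """Group the PTR records implied by a forward zone's A records by the reverse
    zone that should hold them. When nested reverse zones exist, the most specific
    one wins, as with DNS delegation. A records whose address falls in no managed
    reverse zone are returned separately so the missing zone can be created."""
    zones = {ipaddress.ip_network(n, strict=True): reverse_zone_name(n) for n in reverse_zones}
    by_length = sorted(zones.items(), key=lambda kv: -kv[0].prefixlen)
    placed, unplaced = {}, []
    for owner, addr in a_records:
        ip = ipaddress.ip_address(addr)
        for net, zname in by_length:
            if ip in net:
                placed.setdefault(zname, []).append(f"{ptr_name(addr)} IN PTR {owner}")
                break
        else:
            unplaced.append((owner, addr))
    return placed, unplaced


# Constructed sample: A records of a forward zone and the reverse zones that exist.
A_RECORDS = [
    ("www.example.com.", "192.168.50.7"),
    ("mail.example.com.", "192.168.50.25"),
    ("vpn.example.com.", "192.168.60.4"),       # no reverse zone for this subnet
    ("localhost.example.com.", "127.0.0.1"),
]
REVERSE_ZONES = ["192.168.50.0/24", "127.0.0.0/8"]

if __name__ == "__main__":
    placed, unplaced = ptr_records_for(A_RECORDS, REVERSE_ZONES)
    for zone, records in placed.items():
        print(zone)
        for rec in records:
            print("   ", rec)
    for owner, addr in unplaced:
        print(f"no reverse zone for {addr} ({owner}); create one for its subnet")
```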

•View, add, or edit resource records for a zone—Click the View icon in the Configuration RRs or Active Server RRs column next to the zone name. See the "Managing Resource Records for the Zone" section.

Deleting a Zone

It might become necessary to delete a zone if it is no longer to be managed.

How to Get There

Step 3 Click the View icon in the Configuration RRs column of the zone name. This opens the List/Add Static Resource Records for Zone page (see Figure 4-3). (If the name and other fields are not visible at the top of the page, expand that area of the page by clicking the + sign next to the Name field.)

Figure 4-3 List/Add Static Resource Records for Zone Page

Tip Records are listed in BIND format, with only the first record in a set labeled with its name, and in DNSSEC order. To reduce or increase the items in the table, change the Page Size value at the bottom of the page, then click Change Page Size.

Data to Enter

Table 4-4 describes the fields and selections on the List/Add Static Resource Records for Zone page.

Table 4-4 Entries for Zone Resource Records

Entry

Description

Name

Name of the static resource record. The name must be unique and fully qualified (with the trailing dot), for example, example.com. (the zone name itself). Required.

State

Always static for static resource records.

TTL

Time-to-live of the resource record. -1 indicates to use the default TTL value defined by the defttl zone attribute. Optional, no default.

Specific data required for each resource record type. For details on the data, see the Network Registrar User's Guide, Appendix A. Required.

Actions to Take

After entering these values, click Add Resource Record to add the entry to the table, or click Cancel to cancel the operation. To delete a resource record, select it in the table and click the Delete icon, which opens a Confirm Delete page. To return to the zone list, click Return to Zone List.

Data to Enter

Actions to Take

After editing these values, click Modify Resource Record, or click Cancel to cancel the operation. You return to the List/Add Static Resource Record for Zone page. To delete a resource record on this page, select it in the table and click the Delete icon, which opens a Confirm Delete page.

Adding and Deleting Static Records in a Set

Each resource record can belong to a set identified by the name of the resource record. (Note that this name appears only once, next to the first record in the set.) For example, a record set can have multiple A or PTR records. You can add and delete records in this set.

Step 4 Click the name of the record set to which you want to add additional records. This opens the Edit Resource Record Set in Zone page (see Figure 4-5). (If the resource record name and other fields are not visible at the top of the page, expand the page by clicking the + sign next to the Name field.)

Tip Records are listed in BIND format, with only the first record in a set labeled with its name, and in DNSSEC order. To reduce or increase the items in the table, change the Page Size value at the bottom of the page, then click Change Page Size.

Data to Enter

Actions to Take

After entering these values, click Add Resource Record to add the entry to the table, or click Cancel to cancel the operation. To delete a resource record, select it in the table and click the Delete icon, which opens a Confirm Delete page. To return to the zone list, click Return to Zone List.

Step 6 Click the Edit icon next to the record you want to edit. This opens the Edit Resource Record in Zone page (see Figure 4-4).

Data to Enter

Table 4-4 describes the fields and selections on the Edit Resource Record in Zone page.

Actions to Take

After editing these values, click Modify Resource Record, or click Cancel to cancel the operation. You return to the List/Add DNS Server Resource Record for Zone page. To delete a resource record on this page, select it in the table and click the Delete icon, which opens a Confirm Delete page.

Adding and Deleting Dynamic Records in a Set

Each resource record can belong to a set identified by the name of the resource record. (Note that this name appears only once, next to the first record in the set.) For example, a record set can have multiple A and PTR records. You can add and delete these records.

Step 6 Click the name of the record set to which you want to add additional records. This opens the Edit Resource Record Set in Zone page (see Figure 4-5). (If the resource record name and other fields are not visible at the top of the page, expand the page by clicking the + sign next to the Name field.)

•To return to the full record list, click Return to Full Resource Record List.

Managing Secondary Zones

If the DNS server is acting as a secondary server for some zones, you might need to manually create one or more secondary zones.

Note If the authoritative server for your secondary zones is also running Network Registrar 6.0, see the "Managing Zone Distributions" section for how to avoid entering these zones manually.

Adding secondary zones is similar to adding primary zones, except that a secondary zone must reference a master (authoritative) server, and it has additional attributes that relate to zone transfers from that primary. You can list, add, and edit secondary zones.

Listing Secondary Zones

The first step in creating secondary zones is to list the existing ones.

How to Get There

On the Primary Navigation bar, click the Zone tab. On the Secondary Navigation bar, click the Secondary Zones tab. This opens the List Secondary Zones page (Figure 4-7). (Note that the examples given in this section are based on a different zone than in the previous section. The example.com zone assumes that a zone distribution was set up for it. The chicago.example.com secondary zone described in this section is set up manually based on an external authoritative server.)

•To edit a secondary zone, click its name. This opens the Edit Secondary Zone page, which includes the same fields as the Add Secondary Zone page. The Name and auth-servers fields both require values.

Data to Enter

Click the name of the attribute to open contextual help for it, or see Table 4-5. The Name and auth-servers attributes, marked with an asterisk (*), are required to create the secondary zone.

Table 4-5 Entries for Secondary Zone Editing

Entry

Description

Attribute

(Help for each attribute is also available by clicking its name.)

Name*

Name of the secondary zone. Enter the zone name as a fully qualified domain name, such as snake.example.com. (including the trailing dot). The name must be unique. Required.

auth-servers*

List of authoritative DNS servers from which to transfer DNS data for this secondary zone. Separate the server names with a comma. Required.

restrict-xfr

Enables or disables restricting zone transfers to the set of hosts specified in the restricted-set attribute. The default is false.

restricted-set

List of host IP addresses that can request zone transfers, if you enable the restrict-xfr attribute. Separate addresses with a comma. There is no default.

IXFR and NOTIFY

ixfr

Enable or disable requesting incremental zone transfers for this secondary zone. This setting overrides the ixfr-enable attribute setting at the DNS server level. There is no default.

notify

Enables notifying other authoritative servers when this zone changes. There is no default.

notify-set

List of additional servers to notify when the zone changes. There is no default.

Checkpoint

checkpoint-interval

Interval (in seconds) at which to checkpoint the zone (take the latest snapshot of the runtime database). The default is 3h.

checkpoint-min-interval

Minimum interval (in seconds) between consecutive checkpoints. There is no default.

Actions to Take

You can complete adding or editing the secondary zone, and then modify it or delete it:

•To unset any of the fields, check the box in the Unset? column for the field, then click Unset Fields.

•Click Modify Secondary Zone, or to void your changes, click Cancel. You return to the List Secondary Zones page. On this page, you can refresh the list, and edit and delete the zones.

Creating and Applying Zone Templates

A zone template is a convenient way of creating a boilerplate for primary zones that share many of the same attributes. You can apply a zone template to any zone, and override the zone's attributes with those of the template.

How to Get There

Step 3 Click Add Zone Template. This opens the Add Zone Template page, which includes the same fields as the Add Zone page (see Figure 2-5), except that the template field is missing (you cannot create a template from a template).

Actions to Take

The data to enter and functions to perform are the same as those described in Table 4-3. Give the zone template a distinguishing name, other than a domain name.

To add the zone template information, click Add Zone Template, or Cancel to cancel the operation.

How to Get There

Step 3 Click the name of the template. This opens the Edit Zone Template page.

Actions to Take

Table 4-3 describes the fields to edit and functions to perform. The same defaults apply.

To unset any of the fields, check the box in the Unset? column for the field, and click the Unset Fields button. To save the zone template edits, click Modify Template, or Cancel to cancel the operation.

Managing Zone Owners

Creating zone owners creates a pick list of owners when you create a zone. Each zone can have an owner. An owner can also be a scope or subnet selection tag.

Listing and Adding Zone Owners

You can list and add zone owners on a single page. Creating a zone owner involves creating an owner tag name, full name, and a contact name.

Data to Enter

Actions to Take

To unset any field, check the Unset? box next to the field and click Unset Fields. To modify the zone owner information, click Modify Owner, or click Cancel to cancel the operation.

Managing Zone Distributions

Creating a zone distribution map simplifies creating multiple zones that share the same secondary server attributes. Like a template, the zone distribution map can have a unique name. The distribution map requires adding one or more predefined secondary servers. When you run a zone distribution synchronization, the corresponding secondary zones are created on those secondary servers for each primary zone in the distribution.

In Network Registrar 6.0, you can manage only the default distribution and you cannot define any others. The distribution must be in a star topology, that is, one authoritative server and multiple secondary servers. The authoritative server can only be the local primary DNS server where the zone distribution default is defined.

On the Edit Zone Distribution page, the Authoritative Server IP Address list must have the real IP address (or addresses) of the machine on which the primary server is running. You add the secondary servers' IP addresses on the List Secondary Server page. When you synchronize the primary and secondary servers, you should see secondary zones on the secondary servers that correspond to the primary zones on the primary server.

Listing Zone Distributions

You can list zone distributions before synchronizing or managing the servers, or running a report.

•Run—Click the Run icon to synchronize the servers in the zone distribution. Note that if you delete the primary zone for the authoritative server, synchronizing deletes the secondary zone on the secondary server.

•Report—Click the Report icon to run a report on the synchronization.

Manage Servers

Click the View icon to manage the DNS secondary servers in the zone distribution. This opens the List Secondary Servers page (see the "Managing the Secondary Servers" section).

Actions to Take

Note If you find a server error, investigate the server log file for a configuration error, correct the error, return to this page, then refresh the page.

Table 4-8 Columns on the List Secondary Servers Page

Column

Description

Name

Tag name of the secondary server.

IP Address

IP address of the secondary server.

State

State of the server—initialized, running, or disabled. If the Web UI cannot determine the state, a question mark (?) appears.

Health

Relative health of the server, shown as a color indicator for optimal health, less than optimal health, and stopped. The numbers in parentheses range from 0 (stopped) to 10 (optimum health). If the Web UI cannot determine the server's health, a question mark (?) appears.

Statistics

Click the Report icon to view statistics for the server. This opens the Statistics for Server page, which shows statistics relevant to the server. You can refresh the statistics using the Refresh icon. To return to managing the server, click Return to Manage DNS Server on that page. Each statistic item is described in the help window when you click the item name.

View Log

Click the Logs icon to view the log files for the server. This opens the Log for Server page, which lists the log items for the particular server ordered by date and time. You can step through the log using the arrow keys and change the number of items shown by clicking Change Page Size. You can display the log items in two ways: a tabular format, and the log file format (which is more convenient for copying into a text file). Toggle between these two display modes using the Logs icon on the Log for Server page. To return to managing the server, click Return to Manage DNS Server on that page.

Start/Stop/Reload

Click the Start icon to start or restart the server, click the Stop icon to stop the server, or click the Refresh icon to reload the server. If the function is unsuccessful, a red X appears in the column.

You can add a secondary server for the distribution on this page. Click Add Secondary Server to open the Add Secondary Server page (see Figure 4-13), or click Return to Zone Distribution List.

CCM SCP port number to communicate with the target secondary server. Check the target system for this port number, which is set during Network Registrar installation. On Windows systems, the installation sets the CNR_CCM_PORT registry key. On Solaris and Linux systems, the installation sets the CNR_CCM_PORT variable in the install-dir/conf/aic.conf file. The default is 1234.

Editing Zone Distributions

You can edit (but not delete) the default zone distribution. You cannot add any other zone distribution.

How to Get There

Step 3 Click the name of the zone distribution. This opens the Edit Zone Distribution page (see Figure 4-14).

Figure 4-14 Edit Zone Distribution Page

Actions to Take

To edit the zone distribution, add IP addresses for the authoritative servers for the secondary zones and click Add IP Address for each one. The authoritative servers in this list are used to set the authoritative servers list (auth-servers) when configuring each secondary zone for the distribution. These addresses are always for the primary server on the local host and should be the real network addresses. Click Modify Zone Distribution to add the addresses, or Cancel to cancel. You will want to resynchronize the distribution on the List Zone Distributions page. This list of authoritative servers is copied to the secondary zone's auth-servers attribute (see Figure 4-8).

Note that if you change the Authoritative Server IP Addresses on the Edit Zone Distribution page after synchronizing the zones, you must change the secondary zones' auth-servers attribute to the same addresses before resynchronizing. This change does not happen automatically.

Managing the DNS Server

You can manage the DNS server, including viewing its health, statistics, and logs; starting, stopping, and reloading it; and editing the server attributes.

Managing the Server Status

You can view the server status and health, and stop, start, and reload the server.

State

State of the server—initialized, running, or disabled. If the Web UI cannot determine the state, a question mark (?) appears.

Health

Relative health of the server, shown as a color indicator for optimal health, less than optimal health, and stopped. The numbers in parentheses range from 0 (stopped) to 10 (optimum health). If the Web UI cannot determine the server's health, a question mark (?) appears.

Statistics

Click the Report icon to view statistics for the server. This opens the Statistics for Server page, which shows statistics relevant to the server. You can refresh the statistics using the Refresh icon. To return to managing the server, click Return to Manage DNS Server on that page. Each statistic item is described in the help window when you click the item name.

View Log

Click the Logs icon to view the log files for the server. This opens the Log for Server page, which lists the log items for the particular server ordered by date and time. You can step through the log using the arrow keys and change the number of items shown by clicking Change Page Size. You can display the log items in two ways: a tabular format, and the log file format (which is more convenient for copying into a text file). Toggle between these two display modes using the Logs icon on the Log for Server page. To return to managing the server, click Return to Manage DNS Server on that page.

Start/Stop/Reload

Click the Start icon to start or restart the server, click the Stop icon to stop the server, or click the Refresh icon to reload the server. If the function is unsuccessful, a red X appears in the column.

How to Get There

Step 3 Click the name of the server. This opens the Edit DNS Server page (see Figure 4-16).

Figure 4-16 Edit DNS Server Page

Attribute Settings

Help for each attribute is available by clicking the name of the attribute, or see Table 4-11. The attributes are also identified by their CLI names, in parentheses, and many have an indicated default value.

Table 4-11 DNS Server Attributes

Attribute

Description

Forwarders

Sites that must limit their network traffic for security reasons can designate one or more servers to be forwarders that handle all off-site requests before the local server goes out to the Internet. If you use this feature, you must enter the IP address of each forwarder, then click Add Forwarder to add each forwarder.

Recursive queries

Enables or disables recursion, that is, querying other nameservers on behalf of clients for data that your DNS server is not authoritative for and does not hold in its cache. If you disable recursive queries, your nameserver becomes a noncaching server. Default enabled.

Slave mode

Enables or disables slave mode. Slave mode controls whether the server should be a slave server that relies entirely on forwarders for data not in its cache. This attribute has no effect unless you also specify the corresponding forwarders. Note that you can override slave mode for specific domains with the DNS exception method. Default disabled.

Resolution Exceptions

Name, IP Address(es)

If you do not want the DNS server to use the standard resolution method of querying the root nameservers for certain names outside its domain, use a resolution exception. This bypasses the root nameservers and directs name resolution for that domain to a specific server. If you use this feature, you must enter the name of the domain the exception applies to, followed by the IP address or addresses of its nameserver or nameservers. No default.

Click Add Exception to add each resolution exception.

Root Nameservers

Name,IP Address(es)

Root nameservers know the addresses of the authoritative nameservers for all the top-level domains. When you first start a newly installed Network Registrar DNS server, it uses a set of preconfigured root servers, sometimes called root hints, as authorities to ask for the current root nameservers. These root hints are listed in this section. You can also define internal root servers for your network. If you have a large namespace, adding one or more internal root servers is a good solution, even better than using forwarders. No default.

Foreign Servers

These attributes control the behavior of the DNS server when it communicates with other DNS servers. Use them either to control incremental zone transfers or to send multiple records per Transmission Control Protocol (TCP) packet. You can set these attributes for each foreign server:

•Multirec—Whether to send a remote server zone transfers (AXFR) with multiple records in one TCP packet. Some older DNS servers crash when they receive such transfers, even though the protocol allows them. Optional, initial default disabled.

•IXFR—Whether a foreign server supports incremental transfer, so that the server asks it for an incremental transfer (IXFR) before a full transfer (AXFR) when requesting zone transfers. Although unwittingly setting this to true is generally harmless, doing so may result in additional transactions to accomplish a zone transfer. Optional, initial default disable.

If you are using this feature, add the IP address and netmask of the foreign server, then select whether you want multirec or ixfr support. To add each foreign server, click Add Foreign Server.

Network Settings

Listening port

Number of the UDP and TCP port on which the DNS server listens for queries. Default 53.

Remote DNS servers port

Number of the UDP and TCP port to which the DNS server sends queries to other servers. Default 53.

Query source IP address

Source IP address from which, when resolving names for clients, the DNS server sends queries to other servers. A value of 0.0.0.0 indicates that the operating system will use the best local address, based on the destination. No default.

Query source UDP port

UDP port number from which the DNS server sends queries to other servers when resolving names for clients. A value of zero means the server chooses a random port. If this attribute is unset, queries are sent from the port used to listen for queries (see the Listening port attribute). No default.

Zone Defaults

Zone checkpoint interval

Interval (in seconds) at which to checkpoint zones (take the latest snapshot from the runtime database). The checkpoint interval set at the zone level overrides this value. Default 19800s (3h).

Request incremental transfers (IXFR)

Controls the incremental transfer behavior for zones for which you did not configure a specific behavior. If incremental transfer is enabled, then you must also set the value of the ixfr-expire-interval attribute or accept the default value. Default enabled.

Send zone change notification (NOTIFY)

Controls sending NOTIFY messages for zones incurring a change. You must also set the other notify-xxx attributes or accept their defaults. Default enabled.

DNS Update access control

Adds or updates one or more access control lists (ACLs) to the zone. The server uses ACLs to control what networks or operating systems can perform dynamic DNS updates. Set at the zone level, it overrides the server value. No default.

Zone scavenge interval

With scavenging enabled, the interval, in seconds, at which the zone is scheduled for scavenging. The zone setting of the same attribute overrides this setting. Range 1h through 1y. Default 1w.

Zone scavenge refresh period

With scavenging enabled, the interval, in seconds, during which the record can have a timestamp refreshed. The zone setting of the same attribute overrides this setting. Range 1h through 1y. Default 1w.

Zone scavenge no-refresh period

With scavenging enabled, the interval, in seconds, during which actions, such as dynamic updates, do not refresh the timestamp on a record. The zone setting of the same attribute overrides this setting. Range 1h through 1y. Default 1w.

Zone scavenge reload allowance

Interval, in seconds, for which a server restart does not recalculate a start scavenging time. Default 2h.
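The scavenge periods above interact in a fixed order for each record. The following model, added here as an example and not Network Registrar code, assumes the rule that the descriptions imply: a dynamic update refreshes a record's timestamp only after the no-refresh period has elapsed, and a record becomes eligible for removal once the no-refresh period plus the refresh period have elapsed without a refresh. The scavenge interval only schedules when `scavenge()` runs; record names and times are constructed.

```python
# Added example, not Network Registrar code: a model of the scavenging windows
# described by the zone scavenge attributes. Assumed rule: a dynamic update
# refreshes a record's timestamp only after the no-refresh period has elapsed,
# and a record becomes eligible for scavenging once no-refresh plus refresh has
# elapsed without a timestamp refresh.
from dataclasses import dataclass, field

HOUR = 3600
DAY = 24 * HOUR
WEEK = 7 * DAY


@dataclass
class ScavengeConfig:
    no_refresh: int = WEEK   # zone scavenge no-refresh period (default 1w)
    refresh: int = WEEK      # zone scavenge refresh period (default 1w)
    interval: int = WEEK     # zone scavenge interval (default 1w); schedules scavenge()


@dataclass
class ZoneAging:
    cfg: ScavengeConfig = field(default_factory=ScavengeConfig)
    stamps: dict = field(default_factory=dict)  # record name -> last timestamp

    def dynamic_update(self, name, now):
        """Apply a dynamic update at time `now`; return the resulting timestamp."""
        old = self.stamps.get(name)
        if old is not None and now - old < self.cfg.no_refresh:
            return old           # inside the no-refresh window: timestamp unchanged
        self.stamps[name] = now  # new record, or inside the refresh window: refreshed
        return now

    def is_stale(self, name, now):
        """True once both windows have passed without a refresh."""
        return now - self.stamps[name] >= self.cfg.no_refresh + self.cfg.refresh

    def scavenge(self, now):
        """Remove stale records; return the sorted list of removed names."""
        removed = sorted(n for n in self.stamps if self.is_stale(n, now))
        for n in removed:
            del self.stamps[n]
        return removed


def timeline_demo():
    """Walk one constructed record through the windows with the default 1w/1w settings."""
    z = ZoneAging()
    events = []
    events.append(z.dynamic_update("host1.example.", 0))         # created: stamp 0
    events.append(z.dynamic_update("host1.example.", 3 * DAY))   # no-refresh window: stays 0
    events.append(z.dynamic_update("host1.example.", 10 * DAY))  # refresh window: stamp 10d
    events.append(z.scavenge(20 * DAY))                          # age 10d < 2w: kept
    events.append(z.scavenge(27 * DAY))                          # age 17d >= 2w: removed
    return events
```

The point of the no-refresh window is to suppress timestamp writes from hosts that re-register every few minutes; the refresh window is the only time a legitimate update keeps a record alive, so the two values together set how long a host can stay silent before its record is removed.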

Logging

Log settings

Determines which events to log, as set using a bit mask. Logging additional details about events can help analyze a problem. However, leaving detailed logging enabled for a long period can fill the log files and affect server performance. The log categories (and their default status) are:

•server-operations—General high-level server events, such as those pertaining to sockets and interfaces. Default enabled.

•lame-delegation—Lame delegation events. Disabling this flag can keep the log from filling with frequent lame delegation encounters. Note that this has the same effect as setting the lame-deleg-notify zone attribute. Default enabled.

Controls whether you want the DNS server, when composing a response to a query, to fetch missing glue records. Glue records are A records with the address of a domain's authoritative nameserver. Normal DNS responses include NS records and their A records related to the name being queried. Default disabled.

Report lame delegation

Controls whether to notify when a server listed in a parent zone's delegation of subzones does not know that it is authoritative for the zone. Note that this has the same effect as setting log-settings=lame-delegation. Default enabled.

Enable round-robin

Controls whether to round-robin equivalent records in responses to queries. Equivalent records are records of the same name and type. Because clients often only look at the first record of a set, enabling this attribute can help balance loads and keep clients from forever trying to talk to an out-of-service host. Default enabled.

Max. resource record caching TTL

Maximum amount of time to retain cached data. Default 1w.

Max. negative answer caching TTL

Sets an upper bound on the amount of time that a Network Registrar DNS server caches a negative response. (Replaces the neg-cache-ttl attribute used in previous versions of Network Registrar, but not compliant with RFC 2308.) The allowable range in seconds is 0 to 2147483647 (68y). A value of 0 indicates no upper bound. Default 1h.
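How the two caching caps above bound what the server keeps, as an added example rather than Network Registrar code: positive answers are capped by the maximum resource record caching TTL, and negative answers first get the RFC 2308 value, the smaller of the authority SOA's own TTL and its MINIMUM field, and are then capped by the maximum negative caching TTL, where 0 means no upper bound. The response records are constructed for the example.

```python
# Added example, not Network Registrar code: caching TTL caps for positive and
# negative answers. Sample responses are constructed inline.
HOUR = 3600
WEEK = 7 * 24 * HOUR
MAX_NEGCACHE = 2147483647   # upper end of the allowed range (about 68 years)


def positive_cache_ttl(rr_ttl, max_cache_ttl=WEEK):
    """TTL under which a positive answer is cached (capped at max RR caching TTL)."""
    return min(rr_ttl, max_cache_ttl)


def negative_cache_ttl(soa_ttl, soa_minimum, max_negcache_ttl=HOUR):
    """TTL under which an NXDOMAIN or NODATA answer is cached (RFC 2308 section 5)."""
    if not 0 <= max_negcache_ttl <= MAX_NEGCACHE:
        raise ValueError("max negative caching TTL out of range")
    ttl = min(soa_ttl, soa_minimum)   # value carried by the SOA in the authority section
    if max_negcache_ttl == 0:         # 0 = no upper bound
        return ttl
    return min(ttl, max_negcache_ttl)


def cache_entries(qname, qtype, rcode, answers, authority,
                  max_cache_ttl=WEEK, max_negcache_ttl=HOUR):
    """Derive (key, ttl) cache entries from a response.

    answers and authority are lists of dicts with name, type, ttl and, for SOA,
    minimum. A negative response without an authority SOA yields nothing, since
    there is no value to derive a negative TTL from.
    """
    if rcode == "NOERROR" and answers:
        return [((a["name"], a["type"]), positive_cache_ttl(a["ttl"], max_cache_ttl))
                for a in answers]
    soa = next((r for r in authority if r["type"] == "SOA"), None)
    if soa is None:
        return []
    ttl = negative_cache_ttl(soa["ttl"], soa["minimum"], max_negcache_ttl)
    return [((qname, qtype, rcode), ttl)]


def demo_entries():
    """Constructed responses: a positive A answer and an NXDOMAIN with an authority SOA."""
    positive = cache_entries(
        "www.example.", "A", "NOERROR",
        answers=[{"name": "www.example.", "type": "A", "ttl": 30 * 24 * HOUR}],
        authority=[])
    negative = cache_entries(
        "nope.example.", "A", "NXDOMAIN", answers=[],
        authority=[{"name": "example.", "type": "SOA", "ttl": 86400, "minimum": 7200}])
    return positive + negative
```

In the constructed demo the 30-day A record is cut back to the 1w cap, and the NXDOMAIN, which the zone's SOA would allow to be cached for 2h, is cut back to the 1h default cap.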

Max. memory cache size

Size of the memory cache, in kilobytes. Default 200.

Advanced Options and Settings

Relax UPDATE zone name validation

Controls relaxing of the RFC 2136 restriction on the zone name record for dynamic updates. When enabled, this allows updates to the top of the zone. Default disabled.

Save negative cache entries to disk

Controls whether to have the server store negative-query-results cache entries in its cache.db file. If disabled, the server discards negative cache entries evicted from the in-memory cache instead of storing them in the cache.db file. Default enabled.

Fake responses for IP address-like names

Controls whether the server, when queried for a domain name that resembles an IP address (for example, a query for an A record named 192.168.40.40), automatically responds with an NXDOMAIN status without even trying to query (or forward to) other servers. Default enabled.
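The decisions described for slave mode and forwarders, resolution exceptions, and fake responses for IP address-like names all happen before any outbound query is sent. The following model, added here as an example and not Network Registrar code, puts them in that order: IP-like names are answered locally with NXDOMAIN, a resolution exception matched by longest suffix on label boundaries overrides slave mode, and otherwise the query goes to the forwarders or the root servers. The exception table and server addresses are constructed.

```python
# Added example, not Network Registrar code: pre-resolution routing of a query
# that is not in the cache. Exception domains and addresses are constructed.
import ipaddress


def looks_like_ip_address(qname):
    """True for a name such as 192.168.40.40 that is really a dotted IPv4 literal."""
    try:
        ipaddress.IPv4Address(qname.rstrip("."))
        return True
    except ValueError:
        return False


def match_exception(qname, exceptions):
    """Longest-suffix match of qname against the exception domains, on label boundaries."""
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels)):           # i = 0 is the longest candidate suffix
        domain = ".".join(labels[i:]) + "."
        if domain in exceptions:
            return domain
    return None


def route_query(qname, exceptions, forwarders=(), slave_mode=False, fake_ip_names=True):
    """Return (action, servers) for a name that is not in the cache."""
    if fake_ip_names and looks_like_ip_address(qname):
        return ("NXDOMAIN", [])                        # answered locally, nothing sent out
    domain = match_exception(qname, exceptions)
    if domain is not None:
        return ("EXCEPTION", list(exceptions[domain]))  # exception overrides slave mode
    if forwarders:
        if slave_mode:
            return ("FORWARD_ONLY", list(forwarders))   # never falls back to the roots
        return ("FORWARD", list(forwarders))            # forwarders first, roots as fallback
    return ("ROOT", [])


# Constructed exception table: keys are fully qualified, lowercase domain names.
EXCEPTIONS = {
    "corp.example.": ["10.1.1.53"],
    "lab.corp.example.": ["10.9.9.53", "10.9.9.54"],
}
```

Note that a reverse name such as `40.40.168.192.in-addr.arpa.` is not IP-like and is routed normally; only a bare dotted quad is short-circuited, which keeps junk queries from being sent to forwarders or the roots.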

Simulate UPDATES to zone-top name

For Windows 2000 Domain Controller compatibility, when processing a dynamic update packet that attempts to add or remove A records at the name of a zone, respond as if the update had succeeded, rather than with the refusal that the static/dynamic name conflict would normally produce. No update to the records at the zone name actually occurs, although the response indicates that it does. Default disabled.

Enable subnet sorting

Controls whether to re-order address records in responses to queries based on the subnet of the client. Because clients often only look at the first record of a set, enabling this attribute can help localize network traffic onto a subnet. This attribute applies only to answers to queries from clients located on the same subnet as the DNS server. Default disabled.
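Round-robin and subnet sorting both reorder an RRset before it is sent, and they compose: the set is rotated first, then, for a client on the server's own subnet, addresses on that subnet are moved to the front. The following is an added example of that ordering, not Network Registrar code; the server and client addresses and the /24 prefix length are constructed.

```python
# Added example, not Network Registrar code: response ordering under the
# round-robin and subnet-sorting attributes. Addresses are constructed.
import ipaddress


class AnswerOrderer:
    def __init__(self, server_ip, prefix_len=24, round_robin=True, subnet_sorting=False):
        # The server's subnet; subnet sorting only applies to clients inside it.
        self.server_net = ipaddress.ip_network(f"{server_ip}/{prefix_len}", strict=False)
        self.round_robin = round_robin
        self.subnet_sorting = subnet_sorting
        self._rotation = {}   # (owner name, type) -> number of answers served so far

    def order(self, name, rtype, rdatas, client_ip):
        """Return the rdatas of one RRset in the order they would be sent to client_ip."""
        rdatas = list(rdatas)
        if self.round_robin and len(rdatas) > 1:
            k = self._rotation.get((name, rtype), 0)
            self._rotation[(name, rtype)] = k + 1
            k %= len(rdatas)
            rdatas = rdatas[k:] + rdatas[:k]   # equivalent records rotate on every query
        client = ipaddress.ip_address(client_ip)
        if self.subnet_sorting and rtype == "A" and client in self.server_net:
            # Client shares the server's subnet: local addresses first, order otherwise kept.
            local = [r for r in rdatas if ipaddress.ip_address(r) in self.server_net]
            remote = [r for r in rdatas if ipaddress.ip_address(r) not in self.server_net]
            rdatas = local + remote
        return rdatas
```

Because the rotation counter is per RRset rather than per client, the first record a given client sees still changes from query to query; subnet sorting only guarantees that, for on-subnet clients, that first record is a local address.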

NOTIFY max. changes to accumulate

With NOTIFY enabled, the maximum number of UPDATE changes to accumulate during the notify-wait period. If this number is exceeded, Network Registrar sends notification before the notify-wait period passes. Default 100.

NOTIFY wait for more changes

With NOTIFY enabled, the period of time to delay, after an initial zone change, before sending change notification to other nameservers. Use this attribute to accumulate multiple changes. Default 5s.

NOTIFY send min. interval

With NOTIFY enabled, the minimum interval required before sending notification of consecutive changes on the same zone to a particular server. Default 2s.

NOTIFY delay between servers

With NOTIFY enabled, the interval to stagger notification of multiple servers of a particular change. Default 1s.
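The four NOTIFY sending attributes above (max. changes to accumulate, wait for more changes, send min. interval, delay between servers) form one small scheduler. The following discrete-time model is an added example of how they interact, not Network Registrar code; server names and times are constructed.

```python
# Added example, not Network Registrar code: a discrete-time model of the NOTIFY
# batching attributes. Times are in seconds; server names are constructed.
class NotifyScheduler:
    def __init__(self, servers, max_changes=100, wait=5, min_interval=2, stagger=1):
        self.servers = list(servers)      # secondaries to notify, in stagger order
        self.max_changes = max_changes    # NOTIFY max. changes to accumulate
        self.wait = wait                  # NOTIFY wait for more changes
        self.min_interval = min_interval  # NOTIFY send min. interval (per zone and server)
        self.stagger = stagger            # NOTIFY delay between servers
        self.pending = {}                 # zone -> [time of first change, change count]
        self.last_sent = {}               # (zone, server) -> time of last NOTIFY
        self.sent = []                    # (time, zone, server) in send order

    def record_change(self, zone, now):
        """Register one UPDATE to `zone`; returns any NOTIFYs triggered early."""
        batch = self.pending.setdefault(zone, [now, 0])
        batch[1] += 1
        if batch[1] > self.max_changes:   # too many changes: do not wait any longer
            return self._send(zone, now)
        return []

    def tick(self, now):
        """Send NOTIFYs for zones whose wait period has elapsed."""
        out = []
        for zone, (first, _count) in list(self.pending.items()):
            if now - first >= self.wait:
                out += self._send(zone, now)
        return out

    def _send(self, zone, now):
        del self.pending[zone]
        out = []
        for i, server in enumerate(self.servers):
            t = now + i * self.stagger                 # stagger across servers
            last = self.last_sent.get((zone, server))
            if last is not None:
                t = max(t, last + self.min_interval)   # rate limit per server
            self.last_sent[(zone, server)] = t
            out.append((t, zone, server))
        self.sent += out
        return out
```

With the defaults, a single change is notified 5s later; a burst of more than 100 changes is notified at once, but never less than 2s after the previous NOTIFY to the same server, and the second server is always notified 1s after the first.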

NOTIFY IXFR-only interval (secondary zones)

Longest interval to maintain a secondary zone solely with incremental transfers. After this period, the server requests a full zone transfer. Default 1w.
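The choice between IXFR and AXFR depends on the foreign server's ixfr setting, the zone-level request-ixfr setting, and the IXFR-only interval above, and the secondary must also cope with a primary that answers an IXFR request with a full zone, which RFC 1995 allows. The following is an added example of both parts, not Network Registrar code: records are modelled as (name, type, rdata) tuples with an SOA's rdata reduced to its serial, and all zone data and addresses are constructed.

```python
# Added example, not Network Registrar code: choosing IXFR versus AXFR and
# applying either response shape. Records are (name, type, rdata) tuples; an
# SOA's rdata is just its serial. All sample data is constructed.
from dataclasses import dataclass

WEEK = 7 * 24 * 3600


@dataclass
class ForeignServer:
    address: str
    ixfr: bool = False      # foreign server supports incremental transfer (default disabled)
    multirec: bool = False  # may receive several records per TCP packet (default disabled)


@dataclass
class SecondaryZone:
    name: str
    serial: int
    rrs: set                   # non-SOA records currently held
    last_axfr: float = None    # time of the last full transfer, None if never loaded
    request_ixfr: bool = True  # zone default "request incremental transfers"
    ixfr_only_interval: int = WEEK


def choose_transfer(zone, server, now):
    """Return 'IXFR' or 'AXFR' for the next refresh of `zone` from `server`."""
    if zone.last_axfr is None:
        return "AXFR"                      # no local copy to apply a diff to
    if not (zone.request_ixfr and server.ixfr):
        return "AXFR"                      # one side does not do incremental transfer
    if now - zone.last_axfr >= zone.ixfr_only_interval:
        return "AXFR"                      # IXFR-only interval exceeded: resync fully
    return "IXFR"


def _take_until_soa(response, i):
    """Collect records from index i up to the next SOA; return (records, index of SOA)."""
    j = i
    while j < len(response) and response[j][1] != "SOA":
        j += 1
    if j == len(response):
        raise ValueError("truncated transfer: missing terminating SOA")
    return response[i:j], j


def apply_transfer_response(zone, response, now):
    """Apply a transfer response (list of records) to `zone`; return its kind."""
    if not response or response[0][1] != "SOA":
        raise ValueError("transfer response must start with the zone SOA")
    new_serial = response[0][2]
    if len(response) == 1:
        return "CURRENT"                   # lone SOA: our serial is already current
    if response[1][1] != "SOA":
        # AXFR-style body: the whole zone, terminated by a repeat of the SOA.
        zone.rrs = {rr for rr in response[1:-1] if rr[1] != "SOA"}
        zone.serial, zone.last_axfr = new_serial, now
        return "AXFR"
    # IXFR body: (old SOA, deletions..., new SOA, additions...) blocks, then the final SOA.
    rrs, serial, i = set(zone.rrs), zone.serial, 1
    while i < len(response) - 1:
        if response[i][2] != serial:
            raise ValueError("diff sequence does not continue from serial %d" % serial)
        deleted, i = _take_until_soa(response, i + 1)
        serial = response[i][2]
        added, i = _take_until_soa(response, i + 1)
        rrs.difference_update(deleted)
        rrs.update(added)
    if serial != new_serial:
        raise ValueError("diff sequence does not reach the advertised serial")
    zone.rrs, zone.serial = rrs, new_serial
    return "IXFR"
```

Checking that each diff block starts at the serial the secondary currently holds is what keeps a malformed or replayed incremental response from silently producing a zone that matches no serial the primary ever published.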

Rate limit on NOTIFY receive (secondary zones)

With NOTIFY enabled, for secondary zones, the minimum amount of time between the completion of processing of one notification (serial number testing or zone transfer) and the start of processing of another notification. Default 5s.